Overview
NIST CSF 2.0, released in February 2024, is the most significant update to the framework since Version 1.0 was published in 2014 (Version 1.1 followed in 2018). The addition of the Govern function, the expansion of intended scope beyond critical infrastructure, and the integration of supply chain risk management make this the most comprehensive version yet. This guide covers all six core functions, explains how to use the framework's profiles and tiers, and provides practical implementation advice for organizations of any size.
CSF 2.0 Core Functions
| Function | Purpose | Key categories |
|---|---|---|
| Govern (GV) | Establish and monitor cybersecurity risk management strategy | Context, strategy, policy, roles, oversight, supply chain |
| Identify (ID) | Understand assets, business context, and risks | Asset management, risk assessment, improvement |
| Protect (PR) | Use safeguards to manage the organization's cybersecurity risks | Identity management, authentication and access control, awareness and training, data security, platform security, technology infrastructure resilience |
| Detect (DE) | Find and analyze possible cybersecurity attacks and compromises in a timely manner | Continuous monitoring, adverse event analysis |
| Respond (RS) | Take action on detected incidents | Incident management, analysis, mitigation, reporting |
| Recover (RC) | Restore capabilities after incidents | Recovery plan execution, communication |
What Changed in CSF 2.0
- Govern function added as a new sixth function elevating cybersecurity governance to the same level as technical controls
- Scope expanded from critical infrastructure to all organizations regardless of sector or size
- Supply chain risk management integrated throughout the framework rather than treated as a standalone topic
- Community profiles introduced to help specific sectors create shared implementation guidance
- Organizational profiles enhanced to support current state and target state mapping
- Improved measurement and assessment guidance for tracking cybersecurity posture improvement
Framework Tiers
CSF Tiers characterize the rigor of an organization's cybersecurity risk governance and risk management practices. Tier 1 (Partial) means risk management is ad hoc and reactive. Tier 2 (Risk Informed) means risk management practices are approved by management but may not be established as organization-wide policy. Tier 3 (Repeatable) means practices are formally documented as policy and consistently followed. Tier 4 (Adaptive) means the organization proactively adapts its practices based on lessons learned and threat intelligence. Tiers are not maturity levels and are not a score to chase: NIST encourages moving to a higher tier only where mandates or a cost-benefit analysis justify it. Select the tier that reflects your risk appetite, mission, regulatory obligations, and operational reality.
Building Your Organizational Profile
- Create a current profile documenting which categories and subcategories you currently address
- Define a target profile based on your risk appetite, business requirements, and regulatory obligations
- Identify gaps between the current and target profiles
- Prioritize gap remediation based on business impact and resource availability
- Create an implementation action plan with milestones and responsible parties
- Review and update profiles annually or after significant organizational changes
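The gap analysis and prioritization steps above are easy to do on paper for a handful of subcategories and tedious for a hundred. The script below is an added example (not part of the original page and not a NIST tool) that scores each subcategory in the current and target profile, flags inconsistent entries, ranks the gaps, and reports coverage per function. The 0-4 implementation scale, the 1-5 business-impact weight, the priority formula (gap size times impact), and the sample profile are all assumptions constructed for illustration; the subcategory identifiers follow the CSF 2.0 naming pattern but the scores are not from any real assessment.

```python
"""CSF 2.0 Organizational Profile gap analysis (added example, constructed data).

Assumed conventions (not from the page):
  - each subcategory is scored 0-4 in the current and target profile
  - each subcategory carries a business-impact weight 1-5
  - remediation priority = (target - current) * impact
"""
from dataclasses import dataclass

# Assumed 0-4 implementation scale used for both current and target profiles.
LEVELS = {0: "not implemented", 1: "partial", 2: "risk informed",
          3: "repeatable", 4: "adaptive"}

# Constructed sample profile: subcategory -> (current, target, impact).
PROFILE = {
    "GV.OC-01": (2, 3, 5),
    "GV.RM-01": (1, 3, 5),
    "ID.AM-01": (2, 3, 4),
    "ID.RA-01": (1, 3, 4),
    "PR.AA-01": (3, 3, 5),  # already at target: no gap
    "PR.DS-01": (2, 4, 5),
    "DE.CM-01": (1, 3, 3),
    "RS.MA-01": (2, 3, 4),
    "RC.RP-01": (0, 2, 3),
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    impact: int

    @property
    def function(self) -> str:
        # "PR.DS-01" -> "PR"
        return self.subcategory.split(".", 1)[0]

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        return self.size * self.impact


def _check(subcategory, current, target, impact):
    """Reject profile entries that would silently distort the ranking."""
    if current not in LEVELS or target not in LEVELS:
        raise ValueError(f"{subcategory}: levels must be one of {sorted(LEVELS)}")
    if not 1 <= impact <= 5:
        raise ValueError(f"{subcategory}: impact must be between 1 and 5")
    if target < current:
        # A target below the current state is usually a data-entry error,
        # or an undocumented decision to accept more risk; make it explicit.
        raise ValueError(f"{subcategory}: target {target} is below current {current}")


def find_gaps(profile):
    """Return every subcategory below target, highest priority first.

    Ties are broken by business impact, then by subcategory ID so the
    ordering is stable across runs.
    """
    gaps = []
    for subcat, (current, target, impact) in profile.items():
        _check(subcat, current, target, impact)
        if target > current:
            gaps.append(Gap(subcat, current, target, impact))
    return sorted(gaps, key=lambda g: (-g.priority, -g.impact, g.subcategory))


def coverage_by_function(profile):
    """Map each function (GV, ID, PR, ...) to (subcategories at target, total)."""
    coverage = {}
    for subcat, (current, target, _impact) in profile.items():
        fn = subcat.split(".", 1)[0]
        met, total = coverage.get(fn, (0, 0))
        coverage[fn] = (met + int(current >= target), total + 1)
    return coverage


def action_plan(profile, capacity):
    """Top `capacity` gaps as (subcategory, from, to, priority) for the roadmap."""
    return [(g.subcategory, LEVELS[g.current], LEVELS[g.target], g.priority)
            for g in find_gaps(profile)[:capacity]]


if __name__ == "__main__":
    for item in action_plan(PROFILE, capacity=5):
        print(item)
    print(coverage_by_function(PROFILE))
```

Feed `action_plan` the number of gaps your team can realistically close in a planning cycle; the remainder stays visible in `find_gaps` for the next review, and the per-function coverage is the number most boards will actually ask for.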
Implementation Strategy
Start with the Govern function since it sets the foundation for everything else. Ensure leadership understands and supports the cybersecurity strategy. Then conduct a thorough risk assessment under the Identify function. Use the results to prioritize investments across Protect, Detect, Respond, and Recover. Do not try to implement every subcategory at once. Focus on the categories that address your highest risks first and expand coverage iteratively. Use the framework as a communication tool with leadership and the board to translate technical program status into business terms.
Frequently Asked Questions
Is NIST CSF 2.0 mandatory?
CSF remains voluntary for most private-sector organizations. However, it is referenced in regulations, insurance underwriting, and customer security requirements, so in practice many organizations are asked to demonstrate alignment with it. For U.S. federal agencies, Executive Order 13800 (2017) directed the use of the CSF to manage cybersecurity risk, alongside their existing FISMA and SP 800-53 obligations.
How does CSF 2.0 relate to NIST SP 800-53?
CSF provides the outcome-oriented framework for managing cybersecurity risk; it says what should be achieved, not how. SP 800-53 provides the detailed catalog of security and privacy controls that achieve those outcomes. NIST publishes informative references that map CSF 2.0 subcategories to SP 800-53 controls (available through the CSF 2.0 Reference Tool), so an organization can plan and report against CSF while implementing and assessing against 800-53.
Can small organizations use NIST CSF 2.0?
Absolutely. CSF 2.0 was explicitly designed to be accessible to organizations of all sizes. NIST provides specific guidance and quick-start guides for small and medium businesses to adopt the framework without being overwhelmed.
What is the Govern function and why was it added?
Govern covers cybersecurity risk management strategy, expectations, and policy. It was added because effective cybersecurity requires executive support, clear governance structures, and strategic alignment. It elevates governance from an implied activity to an explicit framework requirement.
How do we measure progress against CSF 2.0?
Use organizational profiles to track current versus target state for each category. Assign an implementation rating to each subcategory on a scale you define and keep consistent over time (the CSF itself does not prescribe a scoring scale). Review progress quarterly and report it to leadership as part of the oversight expectations set under Govern. Third-party assessments can validate internal ratings.